Splunk Enterprise Security

Splunk App for Enterprise Security: Why do the Threatintel lookup files not work unless used after the table command?

hcheang
Path Finder

Hello,

I am using the threat intelligence lookup files from the Splunk App for Enterprise Security and the lookup file (e.g. threatintel_by_domain) is giving an error when it is not used after table.

For example,

index=* sourcetype=bluecoat | table cs_host user | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=*

works, but

index=* sourcetype=bluecoat | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user

gives error saying The lookup table 'threatintel_by_domain.csv' does not exist or is not available.

All my custom lookup files work without table, but all the lookups in threatintel does not work without table. I've checked the permission and they are all global so it is not an issue with permission.

Any suggestion?

0 Karma

woodcock
Esteemed Legend

You are referencing the lookup by filename but you need to be referencing it by definition. Go to Settings -> Lookup -> Lookup definitions and select the ES app (or "All") in "App Context" and search for threatintel_by_domain.csv in the search box. It will identify the Lookup definition that is associated with that table. When I did this, I found one that it is called threatintel_by_domain. Swap out this value in your search like this:

index=* sourcetype=bluecoat | lookup threatintel_by_domaindomain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user
0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...